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Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 
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earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1 )S Responsive to communication(s) filed on 29 November 2004 . 
2a)K This action is FINAL. 2b)n This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 1 1 , 453 O.G. 213. 

Disposition of Claims 

4) ^ Claim(s) 7-29 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) 0 Claim(s) is/are allowed. 

6) ^ Claim(s) 1-21 and 27-29 is/are rejected. 

7) S Claim(s) 22-26 is/are objected to. 

8) 0 Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) 0 The specification is objected to by the Examiner. 

10)^ The drawing(s) filed on 25 July 2000 is/are: a)D accepted or b)S objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1 .85(a). 

Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 
1 1 )[3 The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 
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application from the International Bureau (PCT Rule 17.2(a)). 
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DETAILED ACTION 

1. Claims 1-29 have been examined. Claims 1, 3-6, 8, 11-17, 20, 21, and 27-29 have been 
amended in an amendment filed 1 1/29/2004. Claims 1-29 have been examined 

Dramngs 

2. This application lacks formal drawings. The informal drawings filed in this application 
are acceptable for examination purposes. Formal drawings must be made in reply to this Office 
action. See 37 CFR 1 .85(a). 

Response to Amendment 

3. The evidence submitted is insufficient to establish a conception of the invention prior to 
the effective date of the Global Transaction Company (Renner), Intemational Application 
Publication No. WO 01/82190 Al. While conception is the mental part of the inventive act, it 
must be capable of proof, such as by demonstrative evidence or by a complete disclosure to 
another. Conception is more than a vague idea of how to solve a problem. The requisite means 
themselves and their interaction must also be comprehended. See Mergenthaler v. Scudder, 
1897 CD. 724, 81 O.G. 1417 (D.C. Cir. 1897). The declaration under 37 CFR 1.131 sets forth a 
conclusion (see item 1; "disclosed to [Gordon Freedman] [applicant's] idea for a 'flexible 
method of user authentication'"). Facts, not conclusions must be alleged. See MPEP § 715.07 I. 
Additionally, vague and general statements in broad terms does not stratify the requirements of 
37 CFR 1.131(b). See MPEP § 715.07 I and In re Borkowski, 505 F.2d 713, 184 USPQ 29 
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(C.C.P.A. 1974). Evidence must be presented with explanation as to how the limitations of the 
claimed invention are supported by the evidence. Id. 

4. The evidence submitted is insufficient to establish dihgence from a date prior to the date 
of reduction to practice of Global Transaction Company (Renner), International Application 
Publication No. WO 01/82190 Alto either a constructive reduction to practice or an actual 
reduction to practice. The declaration under 37 CFR 1.131 fails to show any facts establishing 
diligence. See MPEP § 715.07(a). 

Claim Rejections - 35 USC §102 

5. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 1 22(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

6. Claims 1-10, 12-14, 16-21, and 27-29 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Global Transaction Company (Renner), International Application Publication No. 
WO 01/82190 Al. 

As per claim 1 , Renner discloses a method authorizing a user in communication with a 
workstation (see page 6, lines 8-21; figure 3, items 5, 6, 20, and 101 ; a user in communication a 
personal computer (PC) and with a Web server) comprising: 
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automatically determining at least an available user information entry device in 
communication with the workstation (see page 3, lines 4-8; a password log-in, a smart card, 
smart card reader, and biometric reader operable to identify user through installation software); 

determining user authorization methods each requiring data only from available user 
information entry devices from a plurality of user authorization methods (see page 7, lines 23-25; 
page 8, lines 1-4; software components on the PC collect claimed identity data manipulating the 
smart card and biometric reader if those options are being used); 

providing user authorization information in accordance with one of the determined user 
authorization methods (see page 7, lines 23-25; page 8, lines 1-4; software components on the 
PC collect claimed identity data manipulating the smart card and biometric reader if those 
options are being used); and 

registering the user authorization information provided against stored data to perform at 
least one of identifying and authorization the user (see page 7, lines 23-25; page 8, lines 1-4; 
retrieve evidence to support claimed identity and provides this and the claimed identity to the 
identity authority; page 8, lines 5-9; identity authority examines the evidence and generates a 
response upon a comparison; page 8, lines 8-14; where a successful comparison results in an 
identity notification and authorization to access resources such as a requested Web page). 

As per claim 2, Renner further depicts: 

a plurality of available user information entry devices (see page 3, lines 4-8; a password 
log-in, a smart card, smart card reader, and biometric reader operable to identify user). 
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As per claim 3, Remier then describes: 

selecting from the determined user authorization methods the one method wherein the 
provided user authorization information is provided in accordance with the selected one method 
(see page 4, lines 5-7; a Federal government Web site requiring biometric verification; see page 
7, lines 23-25; page 8, lines 1-4; software components on the PC collect claimed identity data 
manipulating the smart card and biometric reader). 

As per claim 4, Renner also points out: 

providing to the user a list of the determined user authorization methods in which the user 
selects from the provided list, a single user authorization method (see page 6, lines 9-13; access 
is predominantly controlled in accordance with specific rules and criteria related to individual 
users and transactions; page 9, lines 17-25; where a Web side provides scripts to use the identity 
verification service on the user's PC such that user chooses a script method for identification). 

As per claim 5, Renner additionally elaborates: 

determining security information associated with the user and with the selected user 
authorization method, the security information different for different user authorization methods 
(see page 15, lines 1-5; in the order of relative importance and security needed for the transaction 
used, the tiered verification fiinctions of identification, verified identification, and verified 
transaction signature may correspond to password log-in, smart card verification and biometric 
(e.g. fingerprint) identification demands). 
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As per claim 6, Remier then describes: 

that each user authorization method is associated with a security level and in which at 
least one of identifying and authorizing the user with the associated security level (see page 4, 
lines 3-12; the Federal government requiring biometric verification for an applicant of benefits 
and an online drug retailer requiring certification for a prescribing doctor's identity and 
authorization; see page 15, lines 1-5; in the order of relative importance and security needed for 
the transaction used, the tiered verification functions of identification, verified identification, and 
verified transaction signature may correspond to password log-in, smart card verification and 
biometric (e.g. fingerprint) identification demands). 

As per claim 7, Renner alternatively discusses: 

each determined method is supported absent fiirther installation of software components 
(see page 3, lines 8-11; software may be stand alone for exclusive use with the system). 

As per claim 8, Renner moreover suggests: 

retrieving a security key fi:*om a key storage location in dependence on upon the 
registration (see page 13, lines 6-9; figure 3, items 11, 12, and 104; the user enrolling in a 
verification system by providing a user name and password to be filed in an authority's database; 
see page 15, lines 11-13; upon the user's providing the user name and password, the authority 
retrieves the user identity profile data containing the user name and password). 



As per claim 9, Renner further elaborates: 
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that the security key is an encryption key (see page 14, lines 3-5; that the security key 
retrieved for authorization is in the form of an encryption key used to encrypt authorization data 
exchanged between the user's PC and the K) authority). 

As per claim 10, Renner additionally specifies: 

that the security key is a password (see page 13, lines 6-9; figure 3, items 11, 12, and 104; 
the user enrolling in a verification system by providing a user name and password to be filed in 
an authority's database; see page 15, lines 11-13; upon the user's providing the user name and 
password, the authority retrieves the user identity profile data containing the user name and 
password). 

As per claim 12, Renner also mentions: 

upon access to secured data prompting an individual using the workstation to provide 
user authorization information (see page 13, lines 18-22; prompting the user to comply with an 
identity demand; and 

registering the user authorization information provided against stored data in accordance 
with a user authorization method to perform one of providing access to the secured data and 
denying access to the secured data in dependence upon the registration results (see page 15, lines 
18-25; the ID Authority either approves or disapproves the user identity resulting in authority to 
conduct secure communications exchanging secure data. 
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As per claim 13, Remier illustrates a method of authorizing a user in communication with 
a workstation (see page 6, lines 8-21; figure 3, items 5, 6, 20, and 101; a user in conraiunication a 
personal computer (PC) and with a Web server) comprising: 

providing a plurality of supported user authorization methods and associated security 
levels for each user authorization method (see page 15, lines 1-5; in the order of relative 
importance and security needed for the transaction used, the tiered verification functions of 
identification, verified identification, and verified transaction signature may correspond to 
password log-in, smart card verification and biometric (e.g. fingerprint) identification demands); 

providing user authorization information to the workstation (see page 7, lines 23-25; page 
8, lines 1-4; software components on the PC collect claimed identity data manipulating the smart 
card and biometric reader if those options are being used); 

determining fi"om the plurality of supported user authorization methods an authorization 
method requiring data only fi'om the provided user authorization information (see page 7, lines 
23-25; page 8, lines 1-6; fi"om the claimed identity data collected fi-om any or the smart card and 
biometric reader, the identity authority examines the evidence provided in the packet the user's 
PC sends in accordance with the method for the data); and 

registering the user authorization information provided against stored data to perform at 
least one of identifying and authorizing the user with the associated level of security (see page 8, 
lines 5-9; if the method succeeds, the user is registered and provided a unique verification code). 



As per claim 14, Renner further points out: 
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selecting from the determined user authorization methods the one method wherein the 
provided user authorization information is provided in accordance with the selected one method 
(see page 4, lines 5-7; a Federal government Web site requiring biometric verification; see page 
7, lines 23-25; page 8, lines 1-4; software components on the PC collect claimed identity data 
manipulating the smart card and biometric reader). 

As per claim 16, Renner elaborates: 

determining security information associated with the user and the security level, where 
the security information is different for different user authorization methods (see page 4, lines 3- 
12; the Federal government requiring biometric verification for an applicant of benefits and an 
online drug retailer requiring certification for a prescribing doctor's identity and authorization; 
see page 15, lines 1-5; in the order of relative importance and security needed for the transaction 
used, the tiered verification functions of identification, verified identification, and verified 
transaction signature may correspond to password log-in, smart card verification and biometric 
(e.g. fingerprint) identification demands). 

As per claim 17, Renner moreover suggests: 

retrieving a security key from a key storage location in dependence on upon the 
registration (see page 13, Hnes 6-9; figure 3, items 11, 12, and 104; the user enrolling in a 
verification system by providing a user name and password to be filed in an authority's database; 
see page 15, lines 11-13; upon the user's providing the user name and password, the authority 
retrieves the user identity profile data containing the user name and password). 



f 
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As per claim 18, Remier further elaborates: 

that the security key is an encryption key (see page 14, lines 3-5; that the security key 
retrieved for authorization is in the form of an encryption key used to encrypt authorization data 
exchanged between the user's PC and the ID authority). 

As per claim 19, Renner additionally specifies: 

that the security key is a password (see page 13, lines 6-9; figure 3, items 11, 12, and 104; 
the user enrolling in a verification system by providing a user name and password to be filed in 
an authority's database; see page 15, lines 1 1-13; upon the user's providing the user name and 
password, the authority retrieves the user identity profile data containing the user name and 
password). 

As per claim 20, Renner also mentions: 

upon initiating access to secured data prompting an individual using the workstation to 
provide user authorization information (see page 13, lines 18-22; prompting the user to comply 
with an identity demand; and 

registering the user authorization information provided against stored data in accordance 
with a user authorization method to perform one of providing access to the secured data and 
denying access to the secured data in dependence upon the registration results (see page 15, lines 
18-25; the ID Authority either approves or disapproves the user identity resulting in authority to 
conduct secure communications exchanging secure data. 
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As per claim 21, Remier depicts a method of authorizing a user in communication with a 
workstation (see column 1, lines 41-50; an authorized user interacting with a computer) 
comprising: 

providing a plurality of user authorization methods, some requiring user authorization 
information from more than one data input device (see Abstract; figure 3, items 1, 2, and 3; any 
single or combination of password log-in, smart card, or biometric routines may be required for 
authorization); 

providing user authorization information (see page 7, lines 23-25; collecting claimed 
identity data); 

registering the provided user authorization information against data stored in a database 
of user authorization data (page 15, lines 11-15; figure 3, items 12 and 104; comparing the user 
entered authorization information with data from the user identity profile in the ED authority's 
database); 

when the data matches the stored data within predetermined limits, determining a security 
level for the individual in dependence upon the provided user authorization information and the 
plurality of user authorization methods (see page 15, lines 19-22; with an approved secure 
identity, communications proceed with level of identification of Ic, 2c, or 3c); and 

authorizing the user access within limits based upon determined security level (see page 
15, lines 23-25; limiting access to a user with a sufficiently verified identity from making 
purchases in excess of a given value because they do not have such authority to do so). 
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As per claim 27, Remier then describes: 

selecting a user authorization method from the plurality of user authorization methods 
during execution (see page 4, lines 5-7; a Federal government Web site requiring biometric 
verification); and 

providing user authorization information in accordance with the selected user 
authorization method (see page 7, lines 23-25; page 8, lines 1-4; software components on the PC 
collect claimed identity data manipulating the smart card and biometric reader). 

As per claim 28, Renner also discloses: 

automatically determining the presence or absence of user information entry devices in 
communication with the workstation (see page 3, Hues 4-8; a password log-in, a smart card, 
smart card reader, and biometric reader operable to identify user through installation software); 
and 

determining user authorization methods from the plurality of user authorization methods 
that require data only from user information entry devices which are present (see page 7, lines 
23-25; page 8, lines 1-4; software components on the PC collect claimed identity data 
manipulating the smart card and biometric reader if those options are being used). 

As per claim 29, Renner then describes: 

selecting a user authorization method from the plurality of determined authorization 
methods (see page 4, lines 5-7; a Federal government Web site requiring biometric verification); 
and 
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providing user authorization information in accordance with the selected user 
authorization method (see page 7, lines 23-25; page 8, lines 1-4; software components on the PC 
collect claimed identity data manipulating the smart card and biometric reader). 

Claim Rejections - 35 USC § 103 

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

8. Claims 1 1 and 15 are rejected imder 35 U.S.C. 103(a) as being unpatentable over Global 
Transaction Company (Renner), International Application Publication No. WO 01/82190 Al as 
applied to claims 1 and 13, respectively, above, and further in view of Lamber, U.S. Patent No. 
6,193,153 81. 

Renner discloses the methods of claim 1 and 13. He describes: 

the Web server periodically checking the identification verification performed by the 
identity authority (see page 10, lines 15-22); and 

registering the verification performed against stored verification stored to provide access 
or deny access to secured data (see page 10, lines 15-22) 

However, he does not explicitly teach, at intervals, prompting an individual to provide 
authorization information. 
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Lamber illustrates: 

at intervals prompting an individual using the workstation to provide user authorization 
information (see column 9, lines 31-39; figure 4, items 500 and 560; at random and/or 
predetermined intervals, prompting the user to physically interact with the event converter by 
pushing buttons, touching a key pad, facing a camera, or speaking; see column 9, lines 18-21; 
resulting in the non-intrusive identification of the user); and 

registering the user authorization information provided against stored data to perform one 
of providing access to secured data and denying access to secured data in dependence upon 
registration results (see column 2, lines 32-35; to grant or deny an identified user access to 
directories or e-mail access). 

Therefore, it would have been obvious to one of ordinary skill in the computer art at the 
time the invention was made to combine the method of Renner with the prompting at intervals to 
provide user authorization information for continuous monitoring of biometric data of users of 
restricted or secure areas for verification purposes (see column 2, lines 16-18). 

Allowable Subject Matter 

9. Claims 22-26 are objected to as being dependent upon a rejected base claim, but would 
be allowable if rewritten in independent form including all of the limitations of the base claim 
and any intervening claims. 

10. The following is a statement of reasons for the indication of allowable subject matter: 
Claims 22-26 are drawn to a method of authorizing a user in communication with a 

workstation. The closest prior art. Global Transaction Company (Renner), International 
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Application Publication No. WO 01/82190 Al, discloses a similar method. However, Renner 
neither teaches nor suggests limiting access to security keys based on a security level determined 
for the individual in dependence upon the provided user authorization information and the 
plurality of user authorization methods. This particular step incorporated into intervening claim 
22 renders claims 22-26 to have allowable subject matter. 

Conclusion 

1 1 . THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1. 136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS fi'om the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until afl:er 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated firom the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS fi'om the mailing 
date of this final action. 

Telephone Inquiry Contacts 
Any inquiry concerning this communication or earlier communications fi*om the 
examiner should be directed to Justin T. Darrow whose telephone nimiber is (571) 272-3801, and 
whose electronic mail address is justin.darrow@uspto.gov. The examiner can normally be 
reached Monday-Friday from 8:30 AM to 5:00 PM. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron, Jr., can be reached at (571) 272-3799. 

The fax number for Formal or Official faxes to Technology Center 2100 is (703) 872- 
9306. In order for a formal paper transmitted by fax to be entered into the application file, the 
paper and/or fax cover sheet must be signed by a representative for the applicant. Faxed formal 
papers for application file entry, such as amendments adding claims, extensions of time, and 
statutory disclaimers for which fees must be charged before entry, must be transmitted with an 
authorization to charge a deposit account to cover such fees. It is also recommended that the 
cover sheet for the fax of a formal paper have printed "OFFICIAL FAX". Formal papers 
transmitted by fax usually require three business days for entry into the application file and 
consideration by the examiner. Formal or Official faxes including amendments after final 
rejection (37 CFR 1.116) should be submitted to (703) 872-9306 for expedited entry into the 
application file. It is further recommended that the cover sheet for the fax containing an 
amendment after final rejection have printed not only "OFFICIAL FAX" but also 
"AMENDMENT AFTER FINAL". 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
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Any inquiry of a general nature or relating to the status of this application should be 
directed to the Group receptionist whose telephone number is (571) 272-2100. 



April 17, 2005 



JUSTIN T. DARROW 
PRIMARY EXAMINER 
TECHNOLOGY CENTER 2100 



